                        WEDNESDAY, APRIL 9, 2008

                  House of Representatives,
            Subcommittee on Government Management, 
                     Organization, and Procurement,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:10 p.m. in 
room 2247, Rayburn House Office Building, Hon. Edolphus Towns 
(chairman of the subcommittee) presiding.
    Present: Representatives Towns and Bilbray.
    Staff present: Michael McCarthy, staff director; William 
Jusino, professional staff member; Kwane Drabo, clerk; Janice 
Spector, minority senior professional staff member; and 
Benjamin Chance, minority professional staff member.
    Mr. Towns. The committee will come to order.
    Welcome to today's hearing on Federal Security. This 
hearing will review two important elements of Federal security: 
identification cards for Federal employees and contractors, and 
background checks and security clearances.
    In 2004, President Bush issued an order titled HSPD-12, 
adding new requirements in these areas designed to heighten 
security. In today's hearing we will examine how it is working.
    There is a lot at stake with these issues. HSPD-12 helps 
prevent criminals and terrorists from exploiting Federal ID 
cards to get access to Federal buildings and computers. 
Counterfeiters are always hard at work to create phony 
documents and IDs, so we also have to work hard to stay ahead 
of them.
    I support this kind of effort, but we have to be careful; 
otherwise, our eagerness to improve security can lead to 
increased spending without gains in security. That is why I 
joined with the ranking member, Mr. Bilbray, in asking GAO to 
review HSPD-12 on the basis of both security and efficiency.
    We are releasing their reports today. On the positive side, 
GAO found that agencies have made a lot of progress in making 
sure all their employees have the appropriate background 
checks, and we salute you for that. But GAO has also found that 
agencies are making very little progress in issuing the new ID 
cards and, more importantly, are not even using their new 
security features.
    GAO measured progress in eight agencies, and the numbers 
are grim. At the Department of Commerce, 54,000 employees need 
cards, but as of December only 23 had been issued. Of the 
90,000 employees at the Department of Interior, only 17 had 
received new cards. For the 6,000 employees at the Nuclear 
Regulatory Commission, just 1 card had been issued.
    These types of numbers raise serious questions about 
whether HSPD-12 is working as intended. What is even more 
troubling is GAO's finding that, even when cards have been 
issued, the security features are not being used. These 
features are what makes the new cards so much more secure and 
also much more expensive--about $80 to issue and to maintain 
each card in the first year. If agencies do not use these 
security features, they are just wasting money.
    Agencies aren't gaining anything from the new cards if 
employees just wave them at the security officer instead of 
putting them through a reader, but they are still spending a 
lot of money issuing the cards.
    Today I hope we can learn more about how to get this 
program on track so all of this money being spent actually 
makes the Federal Government more secure, not wasting money.
    [The prepared statement of Hon. Edolphus Towns follows:]

    Mr. Towns. At this time I would like to yield to the 
ranking member, Mr. Bilbray.
    Mr. Bilbray. Thank you, Mr. Chairman. Mr. Chairman, I thank 
you for this hearing. I appreciate the witnesses showing up 
this afternoon.
    Let me just say that I really have a big concern. When you 
read the 9/11 Commission's report on the state of national 
security, one of their No. 1 recommendations right out of the 
chute was that America has to get serious about secure IDs, not 
just in the Government but around our country. But by far the 
Federal Government needs to lead through example.
    How many years later are we now saying we are still working 
on it, we are trying to move the ball ahead? And I think a lot 
of it is almost reminiscent of what we went through, Mr. 
Chairman, a couple of years ago with body armor for our troops 
in Iraq, that people said yes, we want to get it there, we want 
to deploy it, we want to get it into the hands so that it can 
be used for protecting our troops. Well, ladies and gentlemen, 
secure IDs are the body armor of homeland security. It is 
sometimes the first and sometimes the last line of defense 
against a terrorist attack, as the 9/11 Commission said.
    I would like to just add a degree of urgency to the 
execution of this directive, that it is not just a nice thing 
to do, it is an essential thing to do. God forbid if we have 
another attack. I will tell you right now I can guarantee you 
that the lack of a uniform enforceable identification system is 
going to be raised again, and I don't think any of us in this 
room want to be caught in the position of saying yes, you are 
right, we just didn't think it was that important. It is of 
major importance that I do not think we can overstate when it 
comes down to the fact of knowing who is or who isn't going 
into our Government facilities and how we are setting examples 
for States and counties and cities to do the same with their 
identification system.
    So, Mr. Chairman, I appreciate the hearing. I appreciate 
the chance to be updated on the situation, and hopefully what 
we can do is learn from our mistakes, raise the degree of 
urgency, and move forward with a successful implementation 
plan.
    I yield back, Mr. Chairman, and again thank you.
    [The prepared statement of Hon. Brian P. Bilbray follows:]

    Mr. Towns. Thank you very much.
    It is a longstanding policy that we swear our witnesses in, 
so if you would be kind enough to please stand and raise your 
right hands.
    [Witnesses sworn.]
    Mr. Towns. Let the record reflect that all of them answered 
in the affirmative.
    We are delighted to have with us today the Honorable Karen 
Evans, Administrator for Electronic Government and Information 
Technology, Office of Management and Budget. Welcome.
    We are also happy to have Kathy Dillaman, Associate 
Director of Investigations, Office of Personnel Management. 
Thank you. Welcome.
    Ms. Linda Koontz, Director, Information Management Issues, 
Government Accountability Office. Thank you. Good to see you 
again. Accompanied by Ms. Brenda Farrell, Director of Defense 
Capabilities and Management of the Government Accountability 
Office.
    Also, Mr. Michael Sade, Acting Deputy Assistant 
Commissioner, Office of Integrated Technology Service, Federal 
Acquisition Service, General Services Administration. What a 
title.
    Mr. Thomas Wiesner, Deputy Chief Information Officer for 
the Office of the Assistant Secretary for Administration and 
Management, Department of Labor.
    Why don't we just go right on down the line, starting with 
you, Ms. Evans, and just come right down the line. Thank you. 
Thank you so much.
    We would like you to summarize in 5 minutes. Of course, we 
have a light there that comes on. Of course, it starts out as 
green, and then it turns to caution. That means begin to sum 
up. And then red means to stop up.
    We will start with you, Ms. Evans.

    STATEMENTS OF KAREN EVANS, ADMINISTRATOR FOR ELECTRONIC 
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND 
 BUDGET; KATHY DILLAMAN, ASSOCIATE DIRECTOR OF INVESTIGATIONS, 
    OFFICE OF PERSONNEL MANAGEMENT; LINDA KOONTZ, DIRECTOR, 
   INFORMATION MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY 
   OFFICE; ACCOMPANIED BY BRENDA FARRELL, DIRECTOR, DEFENSE 
CAPABILITIES AND MANAGEMENT, GOVERNMENT ACCOUNTABILITY OFFICE; 
 MICHAEL SADE, ACTING DEPUTY ASSISTANT COMMISSIONER, OFFICE OF 
  INTEGRATED TECHNOLOGY SERVICE, FEDERAL ACQUISITION SERVICE, 
  GENERAL SERVICES ADMINISTRATION; AND THOMAS WIESNER, DEPUTY 
   CHIEF INFORMATION OFFICER FOR THE OFFICE OF THE ASSISTANT 
  SECRETARY FOR ADMINISTRATION AND MANAGEMENT, DEPARTMENT OF 
                             LABOR

                    STATEMENT OF KAREN EVANS

    Ms. Evans. Good afternoon, Mr. Chairman and members of the 
subcommittee. Thank you for inviting me to discuss the 
administration's implementation of Homeland Security 
Presidential Directive 12. Protection of our Federal facilities 
and information systems is a priority for the administration, and 
my remarks today will focus on the progress we have made in 
improving security through the implementation of HSPD-12. 
Details have been included in my written statement.
    Prior to HSPD-12 there were wide variations in the quality 
and security of forms of identification used by Federal 
employees and contractors to gain access to Federal facilities 
and information systems. The directive enhances security, 
increases Government efficiency, reduces identity fraud, and 
protects personal privacy by establishing a mandatory, 
Government-wide standard.
    The intent of HSPD-12 is to allow agencies to grant access 
based on risk-based access control decisions; however, we must 
also protect the personal information of Federal employees and 
contractors. HSPD-12 implementation is grounded in the 
longstanding policy framework overseen by OMB, and the agencies 
must follow existing privacy and security law and policies to 
ensure our employee and contractor information is protected and 
appropriately used.
    Following the issuance of the FIPS 201 standard, NIST and 
GSA established a performance and interoperability program to 
ensure programs are certified with the standard. Currently, 
there are approximately 350 products and 33 system integrators 
on the Government certified and approved services and products 
listing maintained by GSA. NIST and GSA have also issued 
various publications and guidance to support interoperability 
and the use of credentials.
    It is essential for Federal agencies to be interoperable if 
we are to significantly improve the security of our Federal 
systems and facilities.
    To ensure agencies are on track with their HSPD plans, OMB 
has taken steps to closely monitor agency implementation 
progress and completion of the key activities. In September 
2006, OMB asked agencies to submit updated implementation 
plans. As part of their plans, we requested agencies to include 
the integration of physical and logical access control systems 
using the PIV credentials and how they intend to use the 
capabilities of the credentials to the fullest extent possible 
to address cyber-security weaknesses and to improve physical 
access control.
    In January 2007 OMB issued guidance requiring quarterly 
reporting on the status of background investigations and the 
number of PIV credentials issued. On October 26, 2007, OMB also 
issued a memorandum providing updated instructions for public 
reporting of the implementation status, and we requested 
additional information on background investigation status and 
major milestones, as outlined in the agency plans.
    We are ensuring that agency status is transparent and 
accessible to the public.
    As of March 1, 2008, agencies reported 2.5 million, or 59 
percent, of their employees, which includes military personnel, 
and over 500,000, or 42 percent, of the contractors had 
completed their background investigations.
    The PIV credentials have been issued to over 140,000, or 3 
percent of employees, and just 36,000 or 3 percent of the 
contractors.
    As part of our oversight role, OMB will continue to use 
quarterly reporting mechanisms along with agency information 
technology budget planning documents to track key performance 
metrics for HSPD-12 compliance.
    Over the past three-and-a-half years the executive branch 
has made steady progress in achieving the goals of the 
Presidential directive. HSPD-12 is part of the administration's 
overall plans to enhance security, and it is closely aligned 
with other ongoing security initiatives and plans for improving 
physical security to implement the recommendations of the 9/11 
Commission.
    With evaluating the physical security, information 
security, and human resources business practices, the executive 
branch is applying a consistent, risk-based approach to 
physical and information systems security that will improve our 
overall security and reduce cost.
    We look forward to working with the members of this 
committee and appreciate your continued support in improving 
the security posture. I will be glad to answer questions at the 
appropriate time.
    [The prepared statement of Ms. Evans follows:]

    Mr. Towns. Thank you very much, Ms. Evans.

                  STATEMENT OF KATHY DILLAMAN

    Ms. Dillaman. Good afternoon. Chairman Towns, members of 
the subcommittee, it is my privilege to testify today on behalf 
of the Office of Personnel Management on the implementation of 
HSPD-12 and the status of the background investigations 
program.
    OPM's mission is to ensure that the Federal Government has 
an effective work force. To accomplish this mission, we conduct 
over 2 million background investigations each year for Federal 
agencies to assist them in making decisions relating to 
identity verification, basic suitability, and eligibility for 
security clearances.
    HSPD-12 requires agencies to initiate, at a minimum, a 
national agency check with written inquiries level 
investigation or any other standard level of investigation 
required for Federal employment prior to issuance of a PIV 
card.
    The national agency check portion of the investigation 
includes searches of the investigative files maintained by the 
Office of Personnel Management, the Department of Defense, the 
FBI, and a fingerprint-based criminal history check.
    Agencies may issue a new PIV card after the fingerprint check 
has been completed, which is typically within the first 24 
hours after an investigation is scheduled.
    Last year, OPM received 285,000 requests for the NACI level 
investigation. That was an increase of over 113,000 from the 
previous year. This type of investigation is almost entirely 
automated. It includes electronic processes for the exchange of 
information between OPM and many Federal, State, and local 
agencies.
    Automated letters of inquiry are also sent to former 
employers, supervisors, educational institutions, and other 
references to identify potential suitability or security 
concerns.
    The advanced fingerprint check results and the full 
investigative results may be sent to the requesting agencies 
electronically, as well.
    Given the automated nature of a NACI investigation, the 
overall impact on OPM's investment program with this increased 
workload has been minimal, and we have successfully expanded 
our work force to process the additional workload without 
negatively impacting on the timeliness of our national security 
investigations.
    This increased workload did, however, have an impact on a 
number of the records we asked for from Federal, State, and 
local agencies. We have been working closely with them to 
increase their processing capacity, automate information 
exchanges whenever possible, and improve the time required to 
obtain those necessary searches.
    To support adjudication of these investigations, in 
December 2007, OPM issued interim standards for agencies to 
apply when determining whether to issue or revoke PIV cards to 
their employees or contractor personnel. Agencies are now 
reviewing the standards, and an interagency working group will 
be formed to address their implementation concerns prior to 
issuing final standards later this year.
    I would also like to provide you with an update of where we 
are with processing national security investigations. The 
Intelligence Reform and Terrorism Prevention Act of 2004 set 
timeliness standards for the overall security clearance 
process. I am pleased to report that, overall, OPM and 
clearance granting agencies are meeting and exceeding the 
standards of completing 80 percent of initial security 
clearance determinations in an average of 120 days or less. 
There is no longer a backlog of investigations due to 
insufficient resources.
    To meet the act's standard, we first focused on the 
timeliness and quality of the agencies' submissions for 
investigations. By increasing the use of OPM's Web-based 
electronic questionnaire for investigations processing instead 
of sending by paper, we have reduced the time required to 
request investigations to 14 days and dropped the rejection 
rate to about 7 percent.
    Today over 83 percent of all submissions for national 
security investigations are electronic, not paper, and 14 
agencies are submitting all of their requests online.
    Within the 120-day standard the act specifically required 
that 80 percent of the background investigations that support 
the clearances be completed within an average of 90 days. We 
are exceeding this goal.
    Of the 586,000 investigations OPM opened last year for 
national security clearances, 80 percent were completed in an 
average of 67 days.
    After completing the investigation, it is returned to the 
employing agency for adjudication. The act further established 
a standard for agencies to adjudicate 80 percent of the initial 
clearances in an average of 30 days or less. Last fiscal year 
for actions reported, agencies adjudicated 80 percent of the 
completed investigations in an average of 28 days, which 
included up to 14 days of mail and handling time between OPM 
and the Federal security offices.
    To streamline and minimize the time required to transmit 
completed investigations between OPM and the agencies, we have 
implemented a state-of-the-art imaging system that allows us to 
transmit completed investigations to agencies electronically, 
eliminating mail and reducing handling time.
    We are continuing to optimize the current process by 
maintaining adequate staffing, building partnerships with 
information suppliers, and through greater use of information 
technology. We are also partnering with the Office of the 
Director of National Intelligence and DOD for more significant 
reforms to the overall security clearance processes. This 
reform effort is challenging traditional processing from 
application through adjudication. The ultimate outcome of this 
effort will be a Government-wide system that continues to 
protect national security through more modern processes that 
are secure, dependable, scalable, and time- and cost-efficient.
    That concludes my remarks. I would be happy to answer any 
questions you may have.
    [The prepared statement of Ms. Dillaman follows:]

    Mr. Towns. Thank you very much.
    Ms. Koontz.

                   STATEMENT OF LINDA KOONTZ

    Ms. Koontz. Good afternoon. Mr. Chairman and members of the 
subcommittee, I appreciate the opportunity to discuss our work 
on the Federal Government's progress in implementing Homeland 
Security Presidential Directive 12 and challenges in the 
Department of Defense's personnel security clearance process.
    Brenda Farrell is with me today. She is responsible for 
GAO's work on the security clearances and can address any 
questions that you might have on that subject.
    First, I would like to summarize our report on HSPD-12 that 
is being released today. As you know, the directive was 
intended to increase the quality and security of identification 
practices across the Federal Government and called for the 
establishment of a mandatory, Government-wide standard for 
secure and reliable forms of identification. Much work has been 
accomplished to lay the foundations for implementing this 
directive, which we recognize as a major Government 
undertaking.
    However, agencies have made limited progress in using the 
full suite of sophisticated electronic capabilities built into 
these smart card based ID cards. As a result, at the time of 
our review, agencies had realized only marginal improvements in 
heightening security. More specifically, the eight agencies we 
reviewed had generally done basic foundation work, such as 
completing background checks on most of their employees and 
contractors, and beginning to acquire essential equipment, such 
as card readers. However, none of the agencies met OMB's goal of 
issuing ID cards by October 27, 2007, to all employees who had 
been with the agency 15 years or less and to contractor 
personnel.
    Further, for the limited number of cards that had been 
issued, agencies generally were not using the electronic 
authentication capabilities of the cards which are critical to 
improving security, and instead were primarily relying on 
visual inspection, much as previous ID cards had been used.
    Most agencies we looked at had also not developed detailed 
plans as to when they would be able to use these critically 
important capabilities.
    This has occurred largely because OMB's implementation 
strategy has focused on card issuance rather than on agencies 
establishing complete security systems, of which the new cards 
are only one part.
    We made a number of recommendations to OMB, including that 
it establish milestones for completing the complete security 
systems needed to optimize use of the cards and to align 
acquisition of the cards with the implementation of these 
systems.
    In commenting on our report, OMB neither agreed nor 
disagreed with these recommendations. However, until OMB takes 
action to address the issues we identified, agencies will 
likely continue to make limited progress in using the cards to 
improve security over Federal facilities and systems.
    Regarding personnel security clearances, our past reports 
have identified delays and impediments in DOD's personnel 
security clearance program which maintains about 2.5 million 
clearances. These longstanding delays resulted in our adding 
the DOD security clearance program to our high-risk list in 
2005.
    Over the past few years several positive changes have been 
made to the clearance processes because of increased 
congressional oversight, recommendations from our body of work, 
new legislative and Executive requirements, most notably the 
passage of the Intelligence Reform and Terrorism Prevention Act 
of 2004.
    An important step forward is the formation of an 
interagency team that plans to address past impediments and 
manage security reform efforts. The President has called for 
this interagency team to provide this reform proposal no later 
than the end of this month; however, much work remains to be 
done before a new system can be implemented.
    That concludes my summary, and Ms. Farrell and I would be 
happy to answer questions at the appropriate time.
    [The prepared statement of Ms. Koontz follows:]

    Mr. Towns. Thank you very much.
    Mr. Sade.

                   STATEMENT OF MICHAEL SADE

    Mr. Sade. Good afternoon, Chairman Towns and Ranking Member 
Bilbray. Thank you for the opportunity to participate on 
today's panel to discuss GSA's initiatives implementing HSPD-12, 
including the establishment of Government-wide standards 
for secure, reliable forms of identification for Federal 
Government employees and contractors.
    I am pleased to report that, working with our agency 
customers, we have successfully deployed a complex set of 
technologies in credential issuing. We have packaged these 
technologies in an effective and cost-efficient manner to 
provide agencies with solutions they need at prices they can 
afford with a business model that is sustainable into the 
future.
    To facilitate Government-wide implementation of the 
Presidential directive and the requirements that all HSPD-12 
implementations be interoperable, GSA took a lead role for the 
Government-wide implementation. As an initial step, GSA began 
to dialog with Federal agencies that were faced with the 
technical, operational, funding, and schedule challenges to 
meet HSPD-12 requirements.
    Next, we established the U.S. access program to offer 
Federal agencies a compelling solution to meet these 
challenges. Through the U.S. access program, GSA offers 
participating agencies a managed shared-service solution that 
simplifies the process of procuring and maintaining the PIV 
compliant credentials, while at the same time meeting the 
demanding HSPD-12 milestones for credential issuing.
    The program provides a common infrastructure that is shared 
by all participating agencies. This allows the cost of building 
and managing this complex infrastructure to be shared, rather 
than having each agency attempt to build separate redundant 
systems on their own.
    GSA also provides the project acquisition and financial 
management support necessary to help participating agencies 
receive the U.S. access service.
    Since launch of the program in 2006, the U.S. access 
program has enrolled approximately 70 Federal agencies 
representing the potential to issue between 850,000 to 1 
million cards to Government employees. This program serves as 
an example of how infrastructure and program management 
expenses can be shared across agency participants to provide 
overall cost savings for the Government, while improving 
service quality and decreasing implementation risk.
    Specifically agency benefits include centralized program 
management, which alleviates Federal agencies from having to 
manage their own in-house HSPD-12 compliant products, built-in 
HSPD-12 policy compliance. GSA has evaluated the technology to 
ensure it meets HSPD-12 requirements. Reduce capital 
expenditures--using a shared service model, the U.S. access 
program has adopted a simplified, per-credential fee system 
that eliminates the large up-front cost typically encountered 
with implementing new information technology infrastructures. 
And, finally, enhanced security. Federal agencies can trust the 
credentials issued under the U.S. access program by GSA.
    There are currently more than 57 U.S. access program 
enrollment centers located in more than a dozen States, with 
the majority being in the D.C. area. Ultimately, there will be 
225 enrollment centers across the country, 25 of which will be 
mobile.
    GSA additionally sponsors a Government-wide HSPD-12 forum 
for coordination of implementation activities, common issue 
resolution, and direction through the Federal Identity 
Credentialing Committee.
    In summary, GSA has created an innovative, full-service 
program to assist agency customers in meeting HSPD-12 
requirements and schedule milestones. Significant progress has 
been made to deliver cost-effective agency solutions to all 
HSPD-12 challenges and to develop a sustainable business model.
    I thank you for the opportunity to testify today, and I am 
happy to answer any questions you may have.
    [The prepared statement of Mr. Sade follows:]

    Mr. Towns. Thank you very much.
    Mr. Wiesner.

                  STATEMENT OF THOMAS WIESNER

    Mr. Wiesner. Good afternoon, Mr. Chairman and members of 
the subcommittee. Thank you for inviting me here today to 
discuss the Department of Labor's HSPD-12 program. We share a 
common interest in protecting employees, facilities, and 
information systems.
    As reported in our March report to OMB, we have issued PIV 
cards to over 10,000 of the 15,000 employees at DOL. We have 
issued PIV cards to over 1,200 of the 2,400 contractors. 
Overall, DOL has completed PIV card issuance to 66 percent of 
employees and contractors.
    Consistent with the Department's implementation plan, 
enrollment and issuance of PIV cards continue. Our strategy 
leverages mobile deployment using DOL resources and what we 
refer to as a travelers program. This program was established 
to allow eligible employees, when on official travel, to obtain 
a PIV card from one of our existing issuing sites located 
around the country.
    As required, PIV cards are issued upon fingerprint results 
and the initiative of background investigations. To date, 90 
percent of our employees have an adjudicated investigation, 
along with 35 percent of our contractors. We are working toward 
completion of all adjudicated investigations by the October 
2008 milestone.
    The Department's efforts to date are derived from the 
Presidential Directive and OMB guidance. The Department has 
also complied with OMB's guidance relative to products and 
services for use in implementing PIV; that is, vendors and 
components used by the Department are in conformance with the 
applicable NIST specifications and approval by the GSA 
evaluation program office.
    To meet the first phase of PIV compliance, planning began 
in late 2004 to establish requirements for a Federal personnel 
identification system that meets the control and security 
objectives of the directive. A certified process was completed 
and approved in October 2005.
    To meet the second part of the PIV compliance, the 
Department, consistent with our internal information technology 
governance, developed the program as an IT investment. In early 
fiscal year 2006 the Department conducted a performance 
analysis of our legacy badge system to identify functionality 
and technical gaps between this system and the PIV II 
requirements. As a result, the system was identified as not 
compliant with FIPS 201 requirements.
    Without a PIV II compliance solution that would meet the 
mandated security and technology guidelines, the Department 
conducted market research to identify viable alternatives to 
comply with HSPD-12 requirements. Potential alternatives 
included relying exclusively on shared services offered by the 
GSA or the Department of Interior, Department of Labor-owned IT 
solutions to cover all Federal and contractor employees 
throughout the country, or a hybrid model that utilized a 
Labor-owned IT solution to conduct PIV card activities in 
facilities with high concentrations of employees, while using a 
shared service for facilities with small employee populations, 
where deployment of IT infrastructure would be cost 
prohibitive.
    In the absence of an existing DOL IT solution for identity 
management, and at the time the emerging status of constraints 
and schedule capabilities and unknown costs associated with a 
shared service solution, the Department in April 2006 decided 
to move forward with the hybrid option of the Labor-owned IT 
solution, with plans to use GSA shared services as they became 
widely available.
    Later this year, DOL plans to utilize GSA shared service 
sites for our employees who are yet to be issued a PIV card, 
particularly remote locations with small DOL populations.
    The Department is already leveraging the PIV card in our 
Boston and New York regions, where regional staff worked with 
the GSA to use the DOL PIV card for physical access control.
    In addition, the Department has initiated planning 
activities associated with the deployment of the physical 
access control system at DOL headquarters. Our plans are to 
begin with a pilot of this technology at one facility in 
Washington, DC, later this year. Simultaneously, in fiscal year 
2009, we will begin planning activities associated with the use 
of PIV cards for access to information systems through the 
deployment of logical access control system technology.
    To date, the deployment of HSPD-12 solution has enabled the 
Department to streamline and tighten the processes associated 
with identity verification and PIV card issuance. The 
Department's goal is to extract the full potential benefits of 
this HSPD-12 investment.
    In conclusion, the HSPD-12 program is a core element of our 
business and operational culture at the Department of Labor. 
Secretary Chao, Chief Information Officer Pizzella, agency 
senior management, and our dedicated employees are committed to 
the success of the Department's HSPD-12 program.
    Mr. Chairman, thank you for the opportunity to provide a 
brief outline of the Department of Labor's approach to HSPD-12. 
I would be happy to answer any questions.
    [The prepared statement of Mr. Wiesner follows:]

    Mr. Towns. Thank you very much. Thank you all very much.
    Let me start out with you, Ms. Koontz. Do you think the 
Federal Government buildings and information systems are more 
secure today as a result of HSPD-12?
    Ms. Koontz. Mr. Chairman, I think we have to say that there 
has been a marginal improvement in security. One of the aspects 
of the new standard is to provide for a uniform way of doing 
background checks on all Federal employees before credentials 
are issued, and this is being implemented by all Federal 
agencies, and they have, in fact, completed most of the 
background investigations as of this point in time, so I think 
that is something that does increase security.
    To the extent that agencies are using any of the electronic 
capabilities in the cards, that is an improvement; however, we 
have to point out that the majority of agencies are not yet in 
the position to use the electronic authentication capabilities 
in the cards, so in those cases what we have is a large outlay 
for expensive cards, and we are not receiving associated and 
corresponding benefits to security.
    Mr. Towns. So let me put it this way. What has been wasted? 
Have you assessed that?
    Ms. Koontz. I could not give you a number to quantify what 
that was, but I think to some extent how the system was 
implemented has been wasteful. In any case where cards have 
been issued and the cards, I think someone said before, cost 
$82 for the first year, $36 per year for the next 4 years, for 
over a life of 5 years. When those are issued with that kind of 
outlay but they are still being used just for visual 
inspection, there is really no increase in security benefits.
    What we recommended is that we wanted to see more emphasis 
on putting together the security systems that will make the 
cards be able to be used, and also to align the acquisition of 
the cards with the ability to be able to optimize their use.
    Mr. Towns. Thank you.
    Ms. Evans, GAO says that because OMB directs agencies to 
distribute the new ID cards to employees according to a set 
time line, but does not also direct them to get the readers and 
equipment to use them, that money and resources dedicated to 
HSPD-12 implementations are actually being wasted.
    Ms. Evans. Sir, if we could step back, first and foremost 
about the money that is being wasted I think we should really 
look to see how many cards have actually been issued. It is 3 
percent. So it is 180,000 credentials out of the potential 2.5 
million for the Federal employees that we have to do. So I 
would actually say that we have been very mindful of the 
taxpayers' dollars going forward.
    What the program has really been focused on, and so this is 
why we should step back from card readers and really look at 
what HSPD-12 was intended to do. It is building off of existing 
programs that were already there. We had a program out in place 
that was looking at all of the IT investments, which we called 
e-authentication. We issued guidance back in 2003 for agencies 
to look at their IT systems, their physical access systems, all 
those types of things and assign a level of security risk 
associated with that.
    HSPD-12 builds off of that, but what is really important 
about HSPD-12 is getting a common business practice so that 
when Department of Commerce issues a credential, that DOD has 
trust in that credential; that they know that they have used 
the same business processes, that they validated that 
individual or that contract in the same way, that contractor in 
the same way, so that they can trust it.
    So what we have been really very focused on is the 
foundation across the Government, having agencies really look 
at what are those positions, who are those contractors, who is 
coming into your facility, should they even have access to your 
facilities, should they have access to your IT systems. That 
takes a lot of work for the agencies to really go back, look at 
that, and then fully vet those people in a standardized way so 
that once that credential is issued, if you as an agency then 
say, OK, Contractor A who is under a contract over at Commerce, 
now they are a contractor over here at DOD, I need to have them 
come into my facility. I need to have them access my systems. 
You can trust that credential. And then the level of trust that 
you are using, you know that you can start using these other 
features.
    But what is critical here is getting the foundation and 
those business processes normalized and harmonized across the 
Government so you can trust it.
    Mr. Towns. Thank you.
    I guess my real question is why hasn't OMB mandated the 
purchase for readers and scanners?
    Ms. Evans. Because every agency needs to go back. We have 
implementation plans of this. They are building this into the 
regular life cycle of their investments. Agencies have to look 
to see is that really what is necessary for each and every 
facility and have a full comprehensive plan. They are going to 
be doing that on a different time line.
    We put into policy the target date of the critical 
activities that we thought that they needed to have across the 
board in all agencies, but it varies. The implementation plan 
is going to vary, because what Department of Interior needs to 
have, you may issue identification cards for people that are 
out in the field but you don't have to have card readers going 
into Yosemite National Park.
    So what we are doing is working with each individual 
agency, having them analyze the risk, look at what they really 
need. Where do they need to have card readers? Is it 
appropriate to have the card reader? And then make sure that 
there is a program in place so that they can buy them and 
implement them in a very efficient way, which is what GSA has 
outlined.
    Mr. Towns. Let's hear from GAO on this.
    Ms. Koontz. Where to begin. It is true that Ms. Evans is 
correct, there have been few cards issued to date because none 
of the agencies met the deadline for issuance. I think that is 
actually, in some ways, fortunate, because I think we have an 
opportunity to make a mid-course correction before we go on and 
issue new cards without being able to fully exploit their 
capabilities, so I look at that as an opportunity to get things 
back on course, and that is exactly what we recommended in our 
report.
    The whole issue of building the underlying security systems 
that allow you to use the electronic capabilities of the card, 
I think that is the foundation that we are talking about. Ms. 
Evans talked about needing the foundation, and I think that is 
the foundation that we have to work on, and we have to have 
goals for implementing that foundation, and we need to put more 
emphasis on that, rather than just emphasizing the issuance of 
cards, especially in cases where we are not ready to use the 
electronic capabilities.
    It may be true that a card reader may not be needed in 
Yosemite. I am not sure. But in the vast majority of cases you 
are going to want to use some kind of electronic 
authentication. You are going to want to read that card in 
order to authenticate the individual's identity, and you are 
also probably going to want to have some kind of visual 
inspection so that you have a couple factors of identification 
to make sure that yes, that is the person that they claim to 
be, and that card is authentic.
    Mr. Towns. Don't you think it is important to set some 
goals or mandates or do something? I figured you will come back 
here 2 years from now or 3 years from now and still be at this 
level.
    Ms. Koontz. I think what you see here is the power of goals 
and mandates. When OMB says what we are going to be tracking 
over time is the number of background investigations that we 
are doing and the number of cards that were issued, that is 
going to be the focus for Federal agencies, because that is 
what has been set out to them as the priorities.
    I think what we are asking for is to add other goals that 
have to do with establishing the foundation to best use of 
cards.
    Mr. Towns. I yield to the ranking member, Mr. Bilbray.
    Mr. Bilbray. Thank you.
    Karen, the evaluation was kind of disappointing. What is 
your reaction to it?
    Ms. Evans. As far as GAO's report, we use the reporting 
overall, and we recognize the power of setting targets and 
milestones, so I agree with both what you guys are saying. I am 
not necessarily disappointed that the credentials weren't 
issued, because we recognize that there were issues associated 
with that, and that is why we came out with additional guidance 
working with the agencies on what the problems were. We were 
using that information.
    There were several challenges going forward with this 
program. First and foremost, what we wanted to do, the 
technology didn't exist, and so industry rose up to that. NIST, 
in setting the standard, did it in less than 6 months, so this 
is a very aggressive program, but when you put it in the frame 
of implementing the recommendations of the 9/11 Commission it 
really falls behind the mark of improving the security.
    So I am disappointed from the aspect that we aren't further 
along, just like you are, but what we do believe we have done 
is made it a more comprehensive program, so when we talk about 
card readers and looking, you are only looking at one piece, 
which is physical access. We are also using this card for 
logical access, which is information security and system 
access. So that is where we have done a lot of making sure that 
the milestones are there. We issued additional guidance after 
the VA situation. We said that agencies had to use two-factor 
authentication. This card allows for that two-factor----
    Mr. Bilbray. Two-factor identification?
    Ms. Evans. Yes.
    Mr. Bilbray. What is that?
    Ms. Evans. So the idea of two-factor identification is 
something you have and something you know, so a password is 
something you know, the card would be something you have. You 
use the two of those in conjunction to make sure that the 
person who is getting on the system is the person who it should 
be.
    Mr. Bilbray. Ms. Dillaman, the backlog concerns, are you 
able to use biometrics in your background checks?
    Ms. Dillaman. Yes, sir. Every background investigation 
includes a biometric check of the FBI's record. So to the 
extent that there is a biometric name base search conducted, 
that is universally applied across Government.
    Mr. Bilbray. You get into the FBI files, just like most law 
enforcement. Can you go into the INS files?
    Ms. Dillaman. Biometrically, no.
    Mr. Bilbray. Why not?
    Ms. Dillaman. We have no biometric exchange system in INS.
    Mr. Bilbray. Mr. Chairman, every immigrant coming into this 
country is now being biometrically read. Every immigrant 
legally entering into the country is put into the system. Every 
illegal immigrant who is detained is put into the system. Now 
we have a background check that can't access those codes.
    I am concerned that these kind of firewalls--and I am not 
blaming you for it, I just think that one of the things that we 
need to talk about is the fact that we have a data base system 
over there. And it is not just you, it is local and State law 
enforcement, too, that we have these firewalls that were 
developed after the Watergate fiasco so that now we are still 
out there, and I am just concerned about the ability. I think 
anybody would say it is reasonable that you should be able to 
have access to all the Federal records that may be able to 
detect that somebody coming in under one name is not exactly 
what they say.
    Ms. Dillaman. And perhaps maybe I can alleviate some of 
those concerns, because we are working with Homeland Security 
and the FBI, tying those three systems together, so that INS' 
records of concern are available to us through that biometric 
search that we send to the FBI. Every fingerprint that I 
receive, whether I receive it electronically or hard copy, if I 
get a hard copy I immediately convert it to a digital image, 
which allows me to move that around system to system. I 
transmit the image to the FBI, and the FBI can cross-reference 
that with INS' records.
    I think we are on the cusp of being exactly where you would 
like us to go.
    Mr. Bilbray. I am trying to make a point that the D.C. 
snipers, if the one immigrant had not committed a misdemeanor, 
even though we had the fingerprints at a murder site, law 
enforcement would not have been able to know about this except 
for the fact there was a misdemeanor and so the record was 
transferred out of INS' records over to FBI to where then the 
Alabama officials were able to detect it. That just shows you 
how close we were not to catching this guy. Thank God he 
committed the misdemeanor so that we could stop the killing 
spree.
    That is a major concern of mine, but we are using the 
biometric fingerprinting system as first sweep right across the 
board, right?
    Ms. Dillaman. Absolutely.
    Mr. Bilbray. And now when we are going in with 
implementation of real IDs, States are now going into a data 
bank based on all the new drivers' licenses, too?
    Ms. Dillaman. Yes.
    Mr. Bilbray. OK. Thank you very much. I appreciate it.
    Thank you, Mr. Chairman.
    Mr. Towns. Thank you.
    Ms. Dillaman, we hear from OPM that the security clearance 
backlog has been eliminated and the OPM has exceeded the 
requirements of the 2004 intelligence reform law, but Federal 
agencies and entities say they still have a serious problem 
with backlog and delays from OPM, and they are very skeptical 
of your claims that the backlogs are gone. Can you be very 
precise in explaining what you mean when you say there is no 
backlog?
    Ms. Dillaman. Certainly, sir. We track every investigation, 
and every single hand-to-hand process with that, so my data is 
hard and accurate, and we have been measuring every 
investigation, beginning to end, with those types of metrics.
    The best way I can demonstrate the backlog elimination was 
7 years ago, when we merged the program with Defense Security 
Service's program there was a pending backlog investigations 
inventory of over 700,000 investigations. We do 2 million a 
year, the combined organizations. The 700,000 was over twice 
what it should have been if you were processing cases timely 
and current.
    Today our inventory is around 285,000 total investigations 
of all types--national security, public trust, and basic 
suitability investigations.
    The percentages I gave you, mid-60 percent of all initial 
national security investigations averaged in the mid-60 days. 
That was 80 percent, I am sorry, in 60 days. These are hard and 
fast numbers.
    Anecdotally, are there investigations that take much 
longer? You bet. There are investigations that probably should 
take a while because there are issues developed that we had to 
explore. We have problems accessing third-party information, 
but 145,000 people had the initial clearance investigations 
done in under 45 days last year, too. It is usually the ones 
that are delayed that are getting the most attention. But by 
pulling enough resources, Federal and contractor combined, 
dedicated to the background investigations program, working to 
improve access to the information critical to the process--and 
it is building electronic bridges between us and Federal 
agencies, all 50 States, and over 20,000 local law enforcement 
agencies. By getting our automation systems, we have been able 
to do that.
    I think it took a long time for everyone to identify just 
how bad it got in the year 2000, and it has taken a long time 
to notice this improvement, as well. But that is where we are 
at today. There is no backlog because of insufficient 
resources.
    Mr. Towns. Let me ask you, Ms. Farrell, if you have any 
thoughts on that issue. I know you did a lot of work with this.
    Ms. Farrell. Certainly. GAO has done a lot of work in this 
area over the last three decades, and the backlog that Ms. 
Dillaman is referring to, GAO reported in 2004 about the fact 
that DOD did not at that time even know what the backlog was. 
We went in and we calculated it with help from the agencies and 
made recommendations regarding how DOD could get control of the 
backlog, and suggested that they had a plan to move forward.
    There have been a number of positive steps, as my colleague 
noted in her opening statement, in terms of what the agencies 
have done, including OPM and OMB, in trying to manage the 
backlog. The question here is what is your definition of a 
backlog. We have not looked at that for a couple of years. We 
have started work in February to go in and look at the 
timeliness and the quality of investigations and adjudications 
for the DOD program, as well as we will be starting up work 
looking at the Intelligence Committee. But our understanding is 
that OPM, when they look at the backlog, they are looking at 
investigations that have been done in 180 days versus the 
Intelligence Reform and Terrorism Prevention Act that requires 
that investigations, as she has noted, be done within 90 days 
for the investigation part. So I think there is still a great 
deal of work to be done in the area of the backlog.
    But, again, we don't have hard and fast data. We are in the 
middle of looking at that to see what is the backlog, not just 
for investigations but adjudications, as well.
    Mr. Towns. We have heard the need for reciprocal 
clearances. If I receive a security clearance in order to work 
for one agency, that clearance ought to be good enough for 
another agency, especially because the guidelines for 
adjudication come from the administration. Why are agencies 
still being allowed to refuse to recognize each other's 
clearances? Why?
    Ms. Farrell. Do you want me to take that? We think it may 
be because of the quality, the quality of the investigations. 
There are Federal guidelines that the adjudicators, as well as 
the investigators, are supposed to adhere to, but the metric 
that has been missing for all six phases of the clearance 
process is quality metrics. OPM has reported for one of the six 
phases that for the investigative phase that they do look at 
the number of investigations that are returned because they are 
incomplete, and they count that as one of the metrics, but we 
think that there are a number of metrics that should be used 
from the time that DOD or the other agencies determine the 
requirements, as well as the application submission process, 
the investigation process, the adjudication process, the appeal 
process, and if there is a need to reopen the case.
    Again, there are six phases of the clearance process, and 
there are not metrics for all six to determine the quality. 
Thus, the reluctance, I think, of some agencies to accept a 
clearance from another one, not knowing which standards have 
been adhered to.
    Ms. Dillaman. If I may, I think there is also some 
confusion about reciprocal accepted security clearances and 
suitability determinations. It is true that a security 
clearance is reciprocal acceptable. If you obtain the top 
secret level of one agency, you can and should move seamlessly 
to another position requiring a top secret clearance.
    When it comes to determining basic suitability for a 
position, however--and Federal civil servants are held to 
suitability standards--there are some position-specific 
requirements. Past drug use may not be an issue in some 
agencies, but it very much may be an issue in DEA. The former 
Smith Amendment that precluded security clearances in some 
agencies but not all might have meant that someone could have 
had a felony conviction with one agency and had a clearance, 
but have been able to move seamlessly, reciprocally to the 
Department of Defense.
    Now all of those issues are being worked on, including 
providing transparency into the suitability determinations. So 
if individuals determined to be suitable for a job but may not 
be suitable, specific position factors have to be considered. 
We have to add transparency into that issue, as well.
    Mr. Towns. Is that because you are using contractors?
    Ms. Dillaman. No, sir. Not at all. The contractors who are 
used to do the background investigations are trained and 
cleared to exactly the same level as their Federal 
counterparts. They are held accountable to the same standards 
of performance.
    Mr. Towns. I just think that some way or another if a 
person is cleared, I mean, there should be some kind of working 
relationship here that everybody could sort of respect and 
accept and move forward on.
    Ms. Dillaman. And to support that, one of the mechanisms 
which we do have in place is that if you went to work for the 
Department of Treasury, for example again, and have a top 
secret clearance, you then move to Homeland Security and 
Homeland Security asks for a new investigation, that would be 
denied. We would reject Homeland Security's request because a 
sufficient investigation is on file that supports you being 
reciprocally moved, accepted into another agency.
    Mr. Towns. Let me move then to you, Mr. Sade. The FIPS 201 
card relies mainly on integrated circuit chip for security. 
This chip stores data and communicates with the card readers. 
Isn't it true that chip can be imperceptibly destroyed by 
kinking it with a sharp object, even your fingernail? I would 
also like to hear also from you, too, on that, Ms. Evans. Is 
that possible?
    Mr. Sade. If the card is left exposed, I believe that is 
possible, but all the cards are issued with a card holder to 
protect it.
    Ms. Evans. Well, I mean, I don't have anything other than 
what you have said. I mean, technically that could happen. You 
could destroy the card. You could mess up the way the card 
works. You can do that now on a credit card by putting two 
magnetic strips together. You can do that on a whole lot of 
technical cards. I mean, we do take the precaution by making 
sure that there are protective covers associated with the card 
so that you can slide them in and out and be able to read them 
appropriately and put them into card readers, so that can 
happen, but that can happen on any technical device or any type 
of card.
    Mr. Bilbray. Mr. Chairman, I want to go home and put all my 
wife's credit cards together. [Laughter.]
    Mr. Towns. Good idea.
    Mr. Bilbray. But, I guess, to follow up on it, is this very 
much different than the technology that has been used in the 
Metro for over 15 years, and that is the electronic reading 
capabilities that they had there? Do you know?
    Ms. Evans. It is enhanced. There are several things that 
are on the card, and that is what is outlined in what we call 
the FIPS, the Federal Information Processing Standard, so there 
is a lot more information, but it does have a strip, so it is 
using something similar but there is a lot more information 
that is encoded on the card.
    Mr. Towns. Let me thank you very, very much, of course, for 
your testimony. I see we still have a long way to go, and of 
course we have I think the question that I really want to 
raise: is it the lack of resources? I mean, what else do you 
see that might be a problem here as to why you are not being 
able to have more? Is it 3 percent?
    Mr. Bilbray. I mean, you have to worry about why aren't the 
readers out there, and you say because we only have 3 percent 
out there. Then the problem isn't that the readers aren't out 
there; the darned cards aren't out there.
    Mr. Towns. Yes. So what do you see that needs to be done? 
Is there anything that needs to be done to sort of help 
facilitate this?
    Mr. Bilbray. And to back that up, do you want to comment on 
the GAO's recommendation that you set reasonable limits and 
have your Departments articulate how they are going to fulfill 
those goals?
    Ms. Evans. First, on the GAO report, I would say that most 
agencies would argue that we have set really aggressive dates, 
and the public would say we set really aggressive dates. I 
would concur with you that the dates aren't aggressive enough.
    However, as far as setting milestones out into the future, 
again, we are working with the agencies on a case-by-case 
basis, so where you could help and how we are talking about 
this is that it is hearings such as this and then going back 
and asking the agencies about the risk and how they are 
assessing the risk and what is their overall security posture 
of what they want within their departments and their agencies.
    This is one thing that makes it a little bit more 
difficult. This is where a Secretary is willing to live with 
how much risk, and when you know that, then OMB can work and 
aggressively help that agency achieve that.
    We are looking at all of the security initiatives across 
the board, the information security ones as well as the actual 
systems. And when I see an agency that doesn't have a good 
report in from its Inspector General on certification and 
accreditations related to how they assess risk, I am putting my 
efforts into how are you doing that, because then I really am 
going to have the agency waste taxpayers' dollars if they are 
just trying to be compliant with OMB mandates and hitting 
milestones.
    Mr. Bilbray. Well, in that GAO report they specifically 
gave you a vehicle that businesses used all along, and that is 
a detailed explanation of how you are going to reach your 
goals, with a specific plan, rather than just having arbitrary 
numbers, this is our goal, this is how we are going to do it.
    Ms. Evans. We have those.
    Mr. Bilbray. Those plans, in fact, can warn you that maybe 
you don't have the right goals.
    Ms. Evans. But we do have those plans, and we have the 
plans for all the security initiatives across the board, and we 
are looking at those. The GAO report is looking at HSPD-12 in 
isolation and it is not looking at the security posture of the 
agency as a whole, looking at the other types of activities and 
the other guidance that we have put in place, like our data 
breach guidance that looks at both physical and logical and 
says, When are you going to have encryption, and when are you 
going to have the two-factor authentication, and when are you 
going to meet all of these types of activities. This is a key 
initiative, and if you are not going to have encryption in 
place until 2010 and you will have these in place, and then you 
are not going to be sure who all is in place, we are looking at 
all of those across the board.
    Mr. Bilbray. I understand that, Ms. Evans, but, to use the 
analogy I started off this hearing with, that would be like the 
Army saying you are right, we need more body armor in the 
field, but we are also looking at now the armored Humvees, and 
that is something we have to consider when we are talking about 
the body armor.
    The fact is that the crisis, the fact that there has been 
so little movement done that there needs to be some priorities 
made here. And this was a very simple one that was laid out not 
just by the President, but by the men and women that studied 
the 9/11 situation and said this is our No. 1 Achilles heel in 
the United States. It doesn't say there wasn't enough cops, 
enough bombs, enough tanks; it said enough IDs and a secure 
identification system for this country is absolutely essential.
    Ms. Evans. Sir, I am not disagreeing with you, sir. I agree 
with you. But it is not the actual card issuance that is the 
measure of that, it is the business process prior to issuing 
the card. So OMB is very sensitive to when we establish 
milestones, that we want to make sure that agencies just aren't 
complying and doing volume without really achieving the goal of 
the improved security, as you stated.
    Mr. Towns. Is this equipment widely available for purchase? 
I am getting the feeling that something else is going on here. 
Is it?
    Mr. Sade. As I mentioned, we had the shared service model 
for those 70 agencies that are going through us, and we are 
still in the process of deploying the 225 enrollment stations. 
But part of the service we provide, part of the General 
Services Administration, we have what we call the GSA schedule 
contract, Schedule 70, which is for information technology. We 
have gone through, working with NIST, and tested anybody that 
wants to put their equipment and make it available for sale 
across the Federal Government, and they put that equipment on 
their scheduled contract, and we test it before it goes on. I 
believe Ms. Evans in her testimony mentioned the 300-plus 
products that are available today on those schedules.
    I would also note that those schedules not only are 
available for use by the Federal Government; they are also for 
use by State and local. So if State and local governments want 
to buy complying equipment, it is available to them, as well.
    Mr. Towns. Let me ask you this, Mr. Wiesner. Several 
Federal agencies, including the Department of Labor, have opted 
not to use GSA service for complying with HSPD-12. Labor told 
our staff they were not convinced that GSA would be able to 
meet OMB's deadlines; however, GAO reports that Labor is not in 
good shape to meet OMB's deadline, either. So is Labor equipped 
to comply? I just don't know what is going on here.
    Mr. Wiesner. Well, we went out on our own. As I said in my 
testimony, we did not have an identity management system at the 
Department of Labor prior to HSPD-12. We had a simple data base 
that issued a dumb badge for Federal employees. We had a hard 
time managing contractors, etc. You saw the added dollars to 
build out an identity management infrastructure to pay benefits 
not only for HSPD-12 for cards, physical access, logical 
access, but integrated into some future planned initiatives 
like our H.R. system, so we could make it part of the hiring 
process as well as the determination process, strengthening our 
contractors and knowing who our contractors were and who had 
clearances. So we saw that investment back in April 2006.
    We are very serious about meeting the first October goal 
from OMB which said you have to issue at least one card by 
October 27, 2006, so we took that very seriously and looked at 
how we were going to meet that and in April 2006 we had to make 
a decision to go to shared service provider or build out this 
infrastructure, and as I mentioned we treated this as an IT 
investment, looking at the whole benefits of the dollars we 
were about to spend and made the choice that it was worth the 
investment to build out our own infrastructure and start 
issuing cards to meet the OMB mandates in October 2006, as well 
as the subsequent milestones that have been laid out upon us.
    As I also testified then, since GSA has now made readily 
available many enrollment and issuing stations around the 
country, perhaps upwards of 15 percent of employees will go to 
a GSA shared service center.
    Mr. Towns. What percent?
    Mr. Wiesner. About 10 to 15 percent. We are at 60 percent 
now. We have issued as of early this week over 11,000 badges to 
our 15,000 employees. We are well over 67, 68 percent. As you 
go out to the smaller locations, it becomes cost prohibitive 
for us to do this on our own. That is when we will go to GSA 
and go through the GSA process and pay the card fees associated 
with the shared service model. We fully intend to use that 
model where it makes financial sense, as well as to get to 
those employees that need a card. We are targeting to be as 
close to 100 percent as possible by October of this year.
    Mr. Towns. You have the funding?
    Mr. Wiesner. Through fiscal year 2008, yes.
    Mr. Towns. Let me thank all of you for your testimony. We 
look forward to working with you to try and move forward. You 
know, 3 percent is not impressive. I guess you know that. I 
think my colleague mentioned about three or four times 3 
percent. I think that isn't right. That is not acceptable. I 
think we have to move much more aggressively. Just 3 percent?
    Anyway, thank you so much for your testimony. We appreciate 
the work that you are doing. Thank you.
    Our next panel consists of Robert Zivney, vice president, 
marketing, Hirsch Electronics, representing the Security 
Industry Association. Welcome.
    We also have Mr. Benjamin Romero, Chair of the Information 
Technology Association of America Security Clearance Reform 
Task Group, representing the Security Clearance Reform 
Coalition.
    It is a longstanding policy of this committee that we 
always swear in our witnesses, so will you please stand and 
raise your right hands?
    [Witnesses sworn.]
    Mr. Towns. Mr. Zivney, you may start. What we do is that we 
allow the witnesses 5 minutes to sum up, and then we would have 
a question and answer period after that, so if you could make 
your statement within 5 minutes, we greatly appreciate it. We 
have a light that starts out with green and then goes to yellow 
to let you know that your time is almost up, and then when it 
comes to red that means your time is up.
    You may start.
    Mr. Zivney. Chairman Towns, Congressman Bilbray, members of 
the subcommittee, thank you for the opportunity to testify 
about the implementation of Homeland Security Presidential 
Directive 12. My name is Rob Zivney. I am the vice president of 
marketing for Hirsch Electronics, headquartered in Santa Ana, 
CA. Hirsch Electronics is a manufacturer of physical access 
control systems for non-residential markets, including the 
Federal Government.
    I am honored to testify today on behalf of the Security 
Industry Association [SIA], which represents 400 manufacturers, 
integrators, and dealers of electronic security equipment. SIA 
members provide solutions for physical security to protect 
people and property of America in their schools and hospitals, 
their airports and seaports, their factories and offices, and 
especially their buildings of government.
    SIA members are committed to offering assistance to ensure 
the successful implementation of this directive in all Federal 
agencies.
    Mr. Chairman, HSPD-12 and the associated standards 
developed by NIST, specifically the identity vetting process, 
forms a far stronger foundation for security than we have ever 
seen.
    Routine access transactions are enhanced by the use of the 
credential bearer's fingerprint templates derived from the same 
fingerprints used in the background check process. However, SIA 
believes that cost and time required for implementation of 
HSPD-12 were underestimated by OMB. Traditionally, the 
functions of authentication and authorization resided with the 
administrator of a local physical access control system [PACS].
    As a result of HSPD-12 and FIPS 201, the accountability for 
authentication now resides with the credential issuer, while 
authorization remains a function of the PACS.
    The development of this new shared infrastructure presents 
a significant learning curve for us all.
    Mr. Chairman, implementation of HSPD-12 is a true 
pioneering effort. It requires those responsible for human 
resources, information technology, and security to cooperate on 
an unprecedented level. Although HSPD-12 may not draw the 
attention of our Nation's major media outlets, the world is 
watching. In spite of technical and procedural challenges, our 
own success has attracted the scrutiny of other nations and 
local governments and private industry.
    In our view, an identity credential that uses fingerprints 
and public key infrastructure [PKI], will revolutionize global 
standards for security, and promises to, over time, conserve 
taxpayer dollars. However, absent clear guidance and 
specifications for systems that use the PIV card, some 
manufacturers are absorbing substantial development costs to 
produce next generation systems that use the card. That work is 
being conducted without access to operational PIV credentials 
necessary to develop and test associated products.
    Mr. Chairman, this situation is exacerbated by the fact 
that GSA has had to design a specification for the credential 
readers while developing product and service evaluation 
programs, a role it has never undertaken in the past.
    The GSA approved product list is inferred from NIST 
documents which are substantially silent on the use of access 
control systems. Unfortunately, GSA restricts the approved 
products to being procured from GSA Schedule 70, an information 
technology schedule. This is unfortunate because physical 
access control systems and components are assigned to Schedule 
84, where they have always been.
    Multiple schedules make it difficult, both for the 
manufacturers developing and submitting products and the 
Government purchaser attempting to assemble the systems. HSPD-
12 products need to be available from both Schedule 70 and 
Schedule 84.
    Despite challenges, some agencies are doing an exemplary 
job of providing credentials for employees and upgrading their 
infrastructure to meet the requirements of HSPD-12.
    In conclusion, SIA offers the following recommendations:
    SIA encourages this subcommittee to direct OMB to 
establish, within its Office of E-Government Information 
Technology, a dedicated team of professionals who possess 
substantial knowledge of physical security technologies and 
applications. This team would support the ongoing efforts of 
the Interagency Security Committee [ISC], which is charged with 
developing physical security policies, standards, and 
strategies.
    We also recommend that OMB establish a policy for 
implementation of physical security similar to its policy 
establishing guidance for the processes leading up to the 
issuance of the PIV II credentials. The policy must recognize 
that the PIV card is not compatible with most installed base 
PACS currently in use, and the PACS will have to be, at a 
minimum, upgraded, and most likely replaced.
    Finally, we encourage you to consider SIA as a resource for 
the effective use of the PIV credential with physical access 
control systems.
    Thank you for the opportunity to testify today.
    [The prepared statement of Mr. Zivney follows:]

    Mr. Towns. Thank you very much.
    Mr. Romero, 5 minutes.

                  STATEMENT OF BENJAMIN ROMERO

    Mr. Romero. Good afternoon, Mr. Chairman, ranking member, 
my name is Ben Romero, and I speak to you as the chairman of 
the Intelligence Committee of the Information Technology 
Association of America and on behalf of the Security Clearance 
Reform Coalition.
    Thank you for this opportunity to discuss a reform of the 
current granting process. In addition to these oral comments, I 
ask that the committee accept our attached written 
recommendations that expand upon the issues we feel are 
critical to addressing this persistent problem.
    Industry has used a simple mantra to explain what we 
believe will bring about transformation of the clearance 
granting process. One application, one investigation, one 
adjudication, and one clearance. We seek an internet-based 
application that collects information electronically and forms 
the basis for an end-to-end digital process that creates a 
record that can be amended by investigators, adjudicators, and 
security officers for the life of the clearance, an 
investigation that would be timely, uniform, and thorough in 
its processed end product, an adjudication where an applicant 
is judged using updated, viable, post-cold-war criteria, and a 
clearance that is accepted across the Federal Government with 
minimal additional vetting.
    In looking at the clearance granting process and its 
effectiveness, the committee should examine the reports of the 
industry-led working group of the National Industrial Security 
Program Policy Advisory Committee, which recently analyzed 
actual results from clearances processed through DSS and DISCO. 
This task force found that, on average, secret clearances took 
more than 200 days, top secret clearances took more than 300 
days to process in 2007. This was an end-to-end analysis 
measuring from the time an applicant was given access to 
complete the online SF-86 provided on the electronic 
questionnaire for investigative processing Web site, e-QIP, to 
the point when the adjudicators determine whether or not a 
clearance was granted.
    Even more alarming is the finding of the working group 
regarding investigations for top secret clearances, where the 
trend line has grown to more than a year, and currently tops 
out at 540 days.
    There are a number of conditions that bear mention because 
they are impacting the effectiveness of the end-to-end process. 
These include an inability to accurately forecast budget needs 
in some agencies, an inability in most applications to accept 
electronic attachments like release forms and digital 
fingerprints, an inability to identify additional case codes 
that frequently cause a case to be reopened for further 
investigations and the out-of-sync applications used in e-QIP.
    Industry believes that many of the problems that cause 
delays with the current process are rooted in the investigative 
stage. These include the ineffective marriage of e-QIP 
applications with fingerprint cards and release forms, too much 
touch labor in the investigative stage of the process, 
including printing of electronic records, because PIPS is 
incapable of saving attachments like criminal or electronic 
records--they bar code and scan documents rather than use two 
electronic records--and the mailing of investigative files back 
and forth between OPM and their field investigators.
    The subcommittee has highlighted today an issue industry 
has long noted with concern. While we fully support HSPD-12 and 
the effort to create greater assurance for all Government 
employees and contractors through new identification measures, 
we have been concerned about the sapping of resources for the 
underlying investigations. HSPD-12 background checks are 
national agency checks with local agency checks, very similar 
to the level of commitment of resources for secret clearances. 
We have been concerned that there would be insufficient 
Government resources to adequately devote to the HSPD-12 
checks, while working to improve the clearance process.
    It is our hope that all those holding current positions of 
trust that require the NAC check or greater will be approved 
under that portion of HSPD-12.
    We are cognizant of what is going on in OSD, OPM, ODNI as 
they try to revamp the clearance. We are behind it 100 percent.
    The nine associations of the Security Clearance Reform 
Coalition again thank the subcommittee for the opportunity to 
highlight our perspectives in these deliberations, and we hope 
that 2008 will finally be the year that we see solutions 
implemented.
    Thank you, sir.
    [The prepared statement of Mr. Romero follows:]


    Mr. Towns. Thank you very, very much for your testimony.
    Let me begin with you, Mr. Zivney. You propose that OMB 
establish a dedicated staff of security professionals to 
coordinate with the private sector on HSPD-12. The report from 
GAO leads me to think that OMB does need some help. Can you 
describe what advice you would give OMB right now in order to 
get the most out of HSPD-12 moving forward?
    Mr. Zivney. I think the focus has perhaps been on the hard 
part, and that was to get the cards out, get the infrastructure 
in place to issue the cards, and now we are really moving into 
phase two, and that is using the cards. If we are going to use 
the cards in a physical access control system, this takes 
skills that go beyond what you might often find in e-
authentication or in focus group. And I know they are focused 
on issuing the card.
    The disciplines of physical access control systems are 
different. I know there was some talk of authentication 
factors. We typically think of a card or a pin you type in on a 
keypad or a biometric as an authentication factor, and we see 
PKI as an enhancement to that, but we need to make sure that, 
from a physical security point of view, we normally have a 
threat level adjustment. We just want to add more factors and 
have that scaling.
    Currently, FIPS 201 is silent on all the physical access 
control systems. We think that someone needs to provide a 
little better insight in there, and we need some focus. SIA 
would be glad to assist with some of that guidance, but if we 
are going to apply it and use it in physical access control 
systems, we need to have skill sets and disciplines and 
knowledge of those techniques.
    Mr. Towns. All right. Thank you.
    What do we do? What can we do to speed this up? I mean, I 
think that is what I am asking.
    Mr. Zivney. We are disappointed it has taken so long. I 
don't believe that there is a lack of urgency with anybody. I 
think it was a very bold move. As we said earlier, I believe, 
that NIST rushed out those specifications in 6 months. Perhaps 
we went too fast at times.
    If we can involve more industry some time before specs are 
released, if we have comment periods that really seek to 
understand the comments of industry when they submit them, and 
more dialog at this point, we build on what we have laid on a 
foundation. I think we can move faster by slowing down a little 
bit at this point. I think someone made that statement. This is 
a good time to do an assessment and really focus on usage next 
while we are continuing to issue the cards.
    Mr. Towns. Thank you very much.
    Mr. Romero, it is clear that you consider security 
clearance reform to be an urgent issue and that it requires 
immediate attention. You described some changes that you say 
could be made quickly, changes that have already been made in 
some agencies, as you indicated. What are some of those 
possible changes? What are you talking about?
    Mr. Romero. Well, sir, I believe that the biggest thing we 
can do, the best thing we could do, is scrap the process that 
we have right now and come out with one that really, truly uses 
IT. We are trying to use something that has been in existence 
for so many years that what we are doing is taking baling wire 
and trying to keep it together so that it continues to process. 
When you go out and take fingerprint cards, scan them, then 
send them across ether and say that you are doing IT in today's 
world, we are not. We are still operating in yesterday's IT 
environment, or whatever the environment was.
    I picked up my clear card here recently. My fingerprints 
were taken, my eye was taken. That can be used as things go 
forward. As we are looking at the checks, as we are improving 
the security clearances, there is all kinds of information that 
is out there available that is used by just about everybody 
else except the Government to find out if you are even 
qualified to hold a security clearance. They check all of us.
    All our information is out there available to be checked, 
whether they are insurance records, whether they are Government 
records, whether they are tax records. All of those are 
accessible, but we don't touch those. We go out and ask 
questions that were asked and based on cold war era, asking my 
neighbor if I am a trustworthy American. I might not have 
talked to my neighbor but once in the past year because of the 
types of hours a lot of people hold.
    That is the gist of what I am talking about, sir, where we 
are still operating in the past.
    Mr. Towns. So basically you are saying that one size should 
fit all. Is that what you are saying?
    Mr. Romero. Not necessarily. One size can fit all to start, 
and then you can add to it. If you have a basis, if you take 
the NAC as a basis and find out, hey, does that person have a 
drinking problem, hey, has his bank account really rapidly 
grown, those types of things that can be done very simply and 
easily to start with might grant you at least the initial level 
of clearance. Then, as you need more because you are going to 
be working--and I worked as an intelligence officer for most of 
my life--then they start asking additional questions and 
finding out more about your background to go from there.
    Mr. Bilbray. Mr. Chairman, can I be recognized?
    Mr. Towns. I think it is your time now.
    Mr. Bilbray. I think the point is that maybe one size 
doesn't fit all, but the shoes all should be built in the same 
basic form, and then if they need to be used for duck hunting 
you modify them a little bit for this, or for deer hunting 
here, or for tennis you do this. So, in other words, there 
needs to be sort of a general production line that is upgraded 
that we are not going back and using some antiquated concepts. 
That is a real concern I have.
    I saw how far California went in the 1970's by going to the 
Cal ID and getting digital readings of everybody that got a 
driver's license, which made huge breakthroughs, and so I am a 
big supporter of this. But the problem is getting them to get 
out of the paper and into electronic.
    I have no real questions except for a comment. If there is 
anything that you guys see that we are not doing working with 
the private sector on this issue, we need to know about it, 
because we have seen what everybody else is doing.
    I was appalled, Mr. Chairman, when we had the breach of the 
disc on our nuclear defense strategy disappear, and I was 
absolutely blown out that you could actually go in to 
Livermore, pull it off the shelf, and there was no record of 
who was in the vault and there was not even an electronic 
reader telling you when the disc was taken out of the vault. 
When that disc leaves that shelf, that slot, it should say it 
is gone as of this time, and we should have a record of who is 
in the vault because they used electronic access that showed 
them in there. That would have been the most simple thing in 
the world to take care of if we had the right data bases and 
the right type of inventory control using electronics rather 
than depending on antiquated World War II technology.
    Thank you very much. I actually think that this issue goes 
a lot farther. I have been discussing with the White House why 
all Federal identification in the United States is not upgraded 
to the real ID standard that we set for the others, including 
the Social Security card.
    If there was going to be an embarrassment, Mr. Chairman, 
explaining to your children or your grandchildren why we are 
still using a piece of paper and a number as our No. 1 ID for 
employment in this country, that has not been upgraded since 
1937. I sure tell you I start understanding why people think 
there is a conspiracy in this country not to protect us because 
how do you justify that. I can't think of a State or a private 
sector that would justify having a piece of paper and a number 
as its foundation of identification.
    Any comments before we relieve you gentlemen? Does the 
chairman have some more questions?
    Mr. Towns. No. I am actually finished, just to say to you, 
though, that when you say Social Security, you would be amazed 
at how many people are walking around that do not have one and 
have not had one in many, many years. I think you would be 
amazed.
    Mr. Bilbray. I am not. I haven't had one since I was a 
lifeguard.
    Mr. Towns. How many people in the room have a Social 
Security card in your pocket? Raise your hand.
    [Show of hands.]
    Mr. Bilbray. By the way, they recommend you never, never 
carry your Social Security card around. Never. That is the No. 
1 no-no, because you have your credit cards, your ID, and your 
social. Forget it.
    Mr. Towns. Just remember your number.
    Let me thank you. I really appreciate your coming in. Your 
entire statement will be placed in the record. Of course, if 
you have any other suggestions or comments, we would definitely 
appreciate it.
    I agree with you. I think that there is a desire to move 
forward. I don't question the witnesses that were before us 
today in terms of their commitment and their dedication. But 
something is wrong that we can't move forward. I am not sure 
what it is. That is the whole thing.
    I think you helped us some, because when you look at the 
fact that we only have 3 percent, and I think the commitment 
and dedication is there, but something else is missing. Maybe 
you guys can help us figure out what that is and be able to 
move it forward.
    I want to thank you again for coming. We appreciate your 
testimony.
    The hearing is adjourned.
    [Whereupon, at 3:45 p.m., the subcommittee was adjourned.]

                                 

